Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

PoPL '99, David Walker, Cornell University

Slide 2: The TAL Project
(Diagram: Compile, Link, Verify; Code+Types is carried through each stage to Code; GC and System Interface sit in the runtime.)

Slide 3: TAL Goals
Security
  - reduce the trusted computing base
Software Engineering
  - eliminate dynamic failure modes; use static checking
Flexibility
  - give programmers control over low-level details
  - admit varying compilation strategies

Slide 4: TAL Memory Management
Garbage Collection: behind-the-scenes cleanup
Problems:
  - Complex code in the trusted computing base
  - Under-specified invariants link client and collector (type tags, pointer restrictions, etc.)
  - No control over memory management decisions
Java, PCC, SPIN, ECC also use GC

Slide 5: Regions (Tofte and Talpin)
Explicit but provably safe deallocation
Static error checking
Simple, constant-time routines
Regions are allocated on a stack
Objects are allocated into regions
Topmost regions are deallocated

Slide 6: Towards Region-Based TAL
High-level code:
  letrgn  in f ( ) end; ... more code      (the region lifetime spans the letrgn body)
Low-level code:
  CALL SITE: newrgn  ; mov r, RET; jmp f
  RET: freergn  ; more code
Region lifetimes are unclear in low-level code
Optimizations break the LIFO allocation structure

Slide 7: Contributions
The Capability Calculus:
  - A new statically-typed region-based intermediate language
  - A syntactic proof of soundness
Typed Assembly Language with primitives for safely allocating and freeing regions
A translation from a variant of the Tofte-Talpin framework

Slide 8: A New Perspective
(Diagram: Static Capabilities beside Regions; Free region 1.)

Slide 9: The Capability Calculus
A continuation-passing style language:
  e ::= let d in e | v[  1, ...,  m ](v1, ..., vn) | ...
With declarations for separate allocation and deallocation of regions:
  d ::= newrgn  | freergn  |  | ...

Slide 10: Types
Types: ints, tuples, polymorphic functions
  [  ].(C,  1, ...,  n) -> 
Capabilities: the collection of regions currently accessible
  C ::= Ø |  | {  } | C1  C2      (first try)

Slide 11: An Example
                     ; Initial capability C = Ø
  let newrgn  1      ; C = {  1 }
      newrgn  2      ; C = {  1,  2 }
      x   1          ;  1 ok
      y   2          ;  2 ok
      freergn  1     ; C = {  2 }
      z =  1 y       ;  2 ok
      w =  1 z       ;  1 not ok!
  in ...

Slide 12: A Second Example
  fun f[  1,  2 ]({  1,  2 }, x   2, ...).   ; C = {  1,  2 }
    let freergn  1                            ; C = {  2 }
        z =  1 x                              ;  2 ok
    in ...
  Call site:                                  ; C = {  }
    f [ ,  , ...)                             ; instantiation causes  1 to alias  2

Slide 13: Aliasing
Safe revocation requires that all copies of a capability be deleted
Type instantiation creates aliases
No local analysis can detect these aliases

Slide 14: Previous Work
Linear Type Systems (Girard, Wadler, ...)
Syntactic Control of Interference (Reynolds)
These systems prevent aliasing; we need to track aliasing.

Slide 15: Alias Tracking
New capabilities: {  1 } and {  + }
  {  1 } indicates  is unique
  {  + } indicates  is duplicatable
  {  + } = {  +,  + } but {  1 }  {  1,  1 }
  {  +,  + } is good but {  1,  1 } is bad

Slide 16: Safe Deallocation
              ; Capability = C
  newrgn     ; Capability = C  {  1 }
  freergn    ; Capability = C

Slide 17: An Example Revisited
  fun f[  1,  2 ]({  1 1,  2 1 }, x   2, ...).   ; C = {  1 1,  2 1 }
    let freergn  1                                ;  1 unique, C = {  2 1 }
        z =  1 x                                  ;  2 ok
    in ...
  Call sites:
    ; C = {   }             f [ ,  , ...)          ; No: {  1 }  {  1,  1 }
    ; C = {  3 1,  4 1 }    f [  3,  4, ...)       ; Yes!

Slide 18: Subcapabilities
Duplicatable capabilities: necessary to make functions sufficiently polymorphic
Unique capabilities provide all of the privileges of duplicatable capabilities: {  1 }  {  + }

Slide 19: Using Subcapabilities
  fun g[  ,   ]({   +,   + },  ,  , ...). ...   ; neither region is deallocated
  ; Current capability = {  1 }
  let x   in g [ ,  ](x, x, ...)                  ; ok: {  1 }  {  + } = {  +,  + }
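An added example, not from the talk or the paper: a small Python checker for the alias-tracking capabilities of slides 15 to 19, run over the declaration sequences of slides 11 and 17 and the call of slide 19. Regions are strings, a capability is a list of (region, multiplicity) pairs, and the declaration tuples, check_block and the other names are my own encoding of the rules on the slides.

```python
from collections import Counter
UNIQUE, DUP = "1", "+"   # multiplicities: r^1 is unique, r^+ is duplicatable

def normalize(cap):
    """{r+} = {r+, r+}: duplicatable entries collapse; unique entries keep their count."""
    counts = Counter()
    for region, mult in cap:
        counts[(region, mult)] = 1 if mult == DUP else counts[(region, mult)] + 1
    return counts

def well_formed(cap):
    """{r1, r1} is not a capability: a unique entry may not be held twice."""
    return all(n == 1 for n in normalize(cap).values())

def satisfies(have, need):
    """Subcapability test have <= need: r1 may stand in for r+, never the reverse."""
    if not (well_formed(have) and well_formed(need)):
        return False
    have_n = normalize(have)
    for region, mult in normalize(need):
        if (region, UNIQUE) not in have_n and not (mult == DUP and (region, DUP) in have_n):
            return False
    return True

def instantiate(need, subst):
    """Type instantiation f[r3, r4]: rename the callee's region variables in its requirement."""
    return [(subst.get(region, region), mult) for region, mult in need]

def check_block(decls, cap=()):
    """Walk declarations in order, threading the capability; raise TypeError on a violation."""
    cap = list(cap)
    for kind, arg, *rest in decls:
        if kind == "newrgn":                      # newrgn r: C becomes C (+) {r^1}
            cap.append((arg, UNIQUE))
        elif kind == "freergn":                   # freergn r: needs the unique capability on r
            if not satisfies(cap, [(arg, UNIQUE)]):
                raise TypeError(f"cannot free {arg} with capability {cap}")
            cap = [c for c in cap if c[0] != arg]
        elif kind == "access":                    # x at r, z = #1 x: any capability on r will do
            if not satisfies(cap, [(arg, DUP)]):
                raise TypeError(f"{arg} is not accessible with capability {cap}")
        elif kind == "call":                      # ("call", callee_requirement, substitution)
            need = instantiate(arg, rest[0])
            if not satisfies(cap, need):
                raise TypeError(f"call needs {need}, have {cap}")
    return cap

def rejected(decls):
    try:                                          # True when the sequence is ill-typed
        check_block(decls)
        return False
    except TypeError:
        return True
```

A call only checks the callee's requirement against the current capability; the callee's own body is checked separately from its declared capability, as on slide 17.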

Slide 20: Final Pieces
  allocate regions       ; grants unique capabilities
  ...
  jump to f              ; lose some privileges: {  1 }  {  + }
  ...
  deallocate regions     ; requires unique capabilities, but we've given them up...
Solution: bounded quantification

Slide 21: BQ Example
  let newrgn                        ; capability C = {  1 }
      ...
      ; f:  [  ,  ,   {   +,   + }]. ( , ..., ( , ...) ->   ) -> ...
      ; cont: ({  1 }, ...) -> , frees region 
  in f [ , , {  1 }](..., cont)       ; ok: {  1 }  {  + } = {  +,  + }

Slide 22: Related Work
Region inference
  - Tofte and Talpin (PoPL '94)
  - Aiken et al. (PoPL '95)
  - Birkedal et al. (PoPL '96)
  - ML Kit with regions
Effect Systems, Monads
Linear Types, Syntactic Control of Interference

Slide 23: Summary
Capabilities govern access to sensitive data
We control capability aliasing by tracking uniqueness information
The result: flexible and provably safe deallocation